
International Data Transfers

JP Sheet is headquartered in the United Arab Emirates and serves buyers worldwide. To deliver our service, your personal data is processed in several countries — under specific legal safeguards. Here's exactly where, why, and how it's protected.

Last updated: 29 May 2026

Where is your personal data processed?

Your personal data may be transferred to and processed in any of the following five regions, each for a specific purpose:

🇦🇪

United Arab Emirates

Primary operations

Our headquarters. Primary application servers, customer support team, account management, order processing. Most of your active session data lives here.

🇵🇰

Pakistan

Secondary support

Secondary customer support team for extended-hours coverage and Urdu-language assistance. Has access to support tickets and order information for the specific cases they handle.

🇯🇵

Japan

Auction record retrieval

Our partner networks that retrieve original auction records sit on Japanese infrastructure. When you submit a chassis number, the lookup query is sent to Japan-based databases. Only the chassis number itself is transmitted — no buyer identity, no payment information.

🇺🇸

United States

Analytics & marketing platforms

Hosted analytics (Google Analytics — IP-anonymised) and marketing platforms (Meta/Facebook Pixel, Google Ads, TikTok Pixel — only with your cookie consent). Page-view and event data may be transferred to US-based servers operated by these providers.

🇪🇺

European Union

Payment processing

Some payment processing is routed through Stripe and PayPal infrastructure that may include EU-based servers (depending on your billing country). Card data is handled entirely by these providers — JP Sheet never sees or stores it.

🌐

Global CDN edge

Cloudflare cache

Static assets (CSS, images, fonts, public pages) are served via Cloudflare's global CDN, which has edge servers in 300+ cities. Cached content is non-personal. No authenticated or payment pages are cached on the edge.

Which vendor processes what data?

A complete vendor-by-vendor breakdown for transparency:

| Vendor | What they process | Region |
|---|---|---|
| Stripe | Card numbers, expiry, CVV, billing email, amounts | US / EU (depends on your country) |
| PayPal | PayPal account email, transaction amounts | US / EU / Luxembourg |
| Google Analytics | Anonymised IP, page views, events (consent only) | US |
| Meta / Facebook Pixel | Conversion events, hashed identifiers (consent only) | US / Ireland |
| Google Ads | Conversion events, ad click identifiers (consent only) | US |
| TikTok Pixel | Conversion events (consent only) | US / EU / Singapore |
| Cloudflare | IP addresses, request metadata (for security & CDN) | Global edge network |
| Gemini (Google AI) | Chassis number text only (for chassis decoder lookups) | US |
| Japanese auction partners | Chassis number only | Japan |
| Namecheap / hosting | Application data, database | UAE (primary) |

What safeguards protect your data when it crosses borders?

For data transfers out of the EU, UK and other regulated regions, we rely on the following safeguards:

📜 Standard Contractual Clauses (SCCs)

SCCs are EU-approved contracts that legally bind any vendor to GDPR-level data protection — no matter where they process data. Stripe, PayPal, Google, Meta, TikTok and Cloudflare all maintain SCCs with their EU customers, which means our use of them inherits these protections.

🛡️ Adequacy decisions

Some non-EU countries have received "adequacy decisions" from the European Commission, meaning the EU has formally confirmed that their data protection laws meet GDPR-equivalent standards. Where your data is transferred to one of these countries, no further safeguard is required.

Countries with current adequacy decisions: UK, Switzerland, Japan, South Korea, Canada (commercial), New Zealand, Israel, Argentina, Uruguay, Andorra, Faroe Islands, Guernsey, Isle of Man, Jersey, US (under the EU-US Data Privacy Framework).

🔐 Encryption everywhere

All data transfers between regions happen over TLS 1.3 (the latest standard). At rest, sensitive data is encrypted using industry-standard algorithms (AES-256 or better). This protects your data even if a vendor's transmission line is intercepted.

📋 Vendor due diligence

We only use vendors that publish their privacy and security commitments publicly, undergo independent audits (SOC 2, ISO 27001, PCI DSS where applicable), and provide GDPR-compliant data processing agreements.

Can I request a copy of these safeguards?

Yes. Under GDPR Article 46, you have the right to request a copy of the appropriate safeguards (such as the SCCs) used to transfer your data outside the EU/UK.

To request a copy, email [email protected] with the subject line "Data Transfer Safeguards Request". We will provide the relevant documentation (or a link to the publicly available version) within 30 days.

What are your rights regarding international transfers?

If you live in the EU, UK, or another GDPR-equivalent jurisdiction, you have specific rights when your data is transferred internationally:

For a full list of your data rights, see our Data Rights page.

📩 Questions about where your data is processed?

Email us — we'll answer specifically about your data, the vendors involved, and the safeguards.

Email [email protected]
